recon / OSINT [Open Source Intelligence]Oxford Handbook of Naonal Security Intelligence The Tao of Open Source Intelligence Infosec InsMtute osinuramework.com owasp.org digital-forensics.sans.org

recon/OSINT[OpenSourceIntelligence]

TRAVERSINGDOWNTHERABBITHOLE

EricHart--CreditSuisse

INTELLIGENCEGATHERINGANDRECONNAISSANCE

Ifyoudon’tknowwhereyou’regoinganyroadwillgetyouthere.


ManyCommuniMes|OnePurpose

•  Governments

•  IntelligenceCommuniMes

•  ArmedForces

•  HomelandSecurity

•  LawEnforcementAgencies

•  Businesses


ManyGoals|OnePurpose•  GatherasmuchinformaMonaspossiblefromallavailablesourcesandanalyzingittodoonething:

• ProduceAc*onableIntelligence*


*pentest-standard.org

AllroadsleadtoNirvana…ordothey?


INTELLIGENCETHEORY

•  IntelligenceistheulMmateparadox

•  AssumpMonsmustbeexplicit

•  Intelligencecanproducebenefitsandcanalsobeharmful

•  Intelligencecannotbepredicted,onlyrecommended

•  Intelligencecanproduceunintendedoutcomes

OxfordHandbookofNaMonalSecurityIntelligence–Dr.PeterGill


INTELLIGENCETHEORY

•  TheCriMcalRealistApproach•  CausaMonthroughinteracMonbetweenactorsandstructures•  Processescannotbeobserved•  Evidenceshouldbetestedagainstthehypotheses|applicaMonofalternaMvetheoriesandmodels

OxfordHandbookofNaMonalSecurityIntelligence-PeterGill


INTELLIGENCETHEORY

•  Intelligenceisasubsetofsurveillance•  Theheartofriskmanagementcombinesknowledgeandpower


IntelligenceAc*vi*esTargeMngCollecMonAnalysisDisseminaMonAcMon

POWER


INTELLIGENCETHEORY

•  DefensiveSurveillancevsIntelligence

•  DefensiveSurveillance=Risk•  Intelligence=Threats



INTELLIGENCETHEORY

•  FourTypesofKnowledgeandPower

•  Certainty–outcomesareknown,clarityofpreferenceisneeded•  Risk–benefitsandadverseeffectsareknown,probabilityofvariousoutcomes

•  Uncertainty–Possibleoutcomesareknown,nowaytoesMmateprobability

•  Ignorance–cannotanMcipateadverseeffects,magnitude,relevanceandprobabilityareunknown



KNOWLEDGE

POWER

INTELLIGENCETHEORY

•  WhatisIntelligenceorOSINT?•  [Art+Craa+Science+Capability(read:DomainKnowledge]–RichardsJ.Heuer

TheTaoofOpenSourceIntelligence–StewartK.Bertram


•  OSINT|FourconceptsorFourLayeredApproach

•  MulMlayered

•  Cybergeography•  MixedMedium

•  Tangibility


INTELLIGENCETHEORYTheTaoofOpenSourceIntelligence–StewartK.Bertram

•  MulMlayered•  SurfaceWeb

•  CommonKnowledge**caveatemptor–GoogleisNOTtheinternet•  GenerallynotsensiMvedata•  Availableviamainstreambrowsers

•  DeepWeb•  Notindexedbymainsearchengines•  CannotbereadbyconvenMonaltechnology•  InformaMononindividualsislocatedherebutnoteasilyaccessible

•  DarkWeb•  Accessedbyanonymizedmethods(TOR)•  OaenusedforcriminalacMviMes



•  CyberGeography•  Regionbased

•  Anglophone•  Russophone•  Etc.

•  DividedlinguisMcally•  Knowingonlyonelanguagediminishessuccess

•  Beware‘single-sourceintelligence’



•  MixedMedium•  Notsingle-sourced•  ComplexcombinaMonofsearchanddisplaytechnologies

•  Eachcomponentrequiresauniquesetoftechniquestomaster

•  RisksandoperaMonalrequirementsmustbeevaluatedbeforebeingputintouse



•  Tangibility•  ‘Realworld’vstheInternet•  Importancetothehumanexperience?•  Relevancetobasicneeds,eg.stableelectricityandcleanwater



ELEMENTSOFOSINT

• OSINT–4Elements• Uncovering• DiscriminaMon• Refining• Delivering

InfosecInsMtute


4Elements|SMllonepurpose:ProduceAcMonableIntelligence

ELEMENTSOFOSINT

• OSINT–Uncovering• Whoknowsaboutthedata?• Wheredowelook?• Whichdataisappropriate• LeveragedistributedexperMseandknowledge

InfosecInsMtute


ELEMENTSOFOSINT

• OSINT–DiscriminaMon• Disseminatebetweenthegoodandthebad• Eliminatetheoutdatedandirrelevant

InfosecInsMtute


ELEMENTSOFOSINT

• OSINT–Refining• Assemblingthefinaloutput• Lengthdependsuponrelevantdata

InfosecInsMtute


ELEMENTSOFOSINT

• OSINT–Delivery• MustbegiveninproperMme• Formathastobeclearandeasilyunderstandable

InfosecInsMtute


ELEMENTSOFOSINT •  OSINT–amaturitymodel•  Corporate•  Individual•  CovertGathering•  FootprinMng•  IdenMfyProtecMonMechanisms

•  3LevelsofInformaMonGathering•  Level1|Compliance•  Level2|BestPracMce•  Level3|StateSponsored

www.pentest-standard.org


OSINTFRAMEWORK

EricHart--CreditSuisseEricHart--CreditSuisse

ELEMENTSOFOSINT

•  OWASP–TesMngFrameworkPhase1:BeforeDevelopmentBeginsPhase2:DuringDefiniMonandDesignPhase3:DuringDevelopmentPhase4:DuringDeploymentPhase5:MaintenanceandOperaMons

www.owasp.org


ELEMENTSOFOSINT

•  OWASP–TesMngFrameworkPhase1:BeforeDevelopmentBegins1.1:DefineaSDLC1.2:ReviewPoliciesandStandards1.3:DevelopMeasurementandMetricsCriteriaandEnsureTraceability

www.owasp.org


ELEMENTSOFOSINT

•  OWASP–TesMngFrameworkPhase2:DuringDefiniMonandDesign2.1:ReviewSecurityRequirements2.2:ReviewDesignandArchitecture2.3:CreateandReviewUMLModels2.4:CreateandReviewThreatModels

www.owasp.org


ELEMENTSOFOSINT

•  OWASP–TesMngFrameworkPhase3:DuringDevelopment3.1:CodeWalkThrough3.2:CodeReviews

www.owasp.org


ELEMENTSOFOSINT

•  OWASP–TesMngFrameworkPhase4:DuringDevelopment4.1:ApplicaMonPenetraMonTesMng4.2:ConfiguraMonManagementTesMng

www.owasp.org


ELEMENTSOFOSINT

•  OWASP–TesMngFrameworkPhase5:MaintenanceandOperaMons5.1:OperaMonalManagementReviews5.2:PeriodicHealthChecks5.3:EnsureChangeVerificaMon

www.owasp.org


ELEMENTSOFOSINTdigital-forensics.sans.org


IPAddresses

DomainNames

Network/HostArMfacts

Tools

TTPs Tough!

Challenging

Annoying

Easy

Trivial

CollecMveIntelligenceFramework

collecMveintel.net•  REN-ISACproject•  PullsinfeedofIOC’sfrompublicandprivatesources

•  Focusesonlowerendof“pyramidofpain”•  Exportsdatatoinfrastructureorsupportslookupduringresponse


FrameworkandMethodologyComparison ProgramObjec*vesUsedforComparisonCriteria

FrameworkorMethodology

SponsoringOrganiza*on

ProgramStructure ControlBaseline RiskTriage RiskBusinessCase

COBIT5 ISACA 4 2 0 0DSS PCI 0 2 0 0FAIR TheOpenGroup 0 0 2 4IRAM2 ISF 3 0 2 2ISO27000x ISO 4 1 0 0ISO31000 ISO 2 0 0 0SANS-20 CSC 0 3 0 0SP800-30 NIST 2 4 2 2SP800-53 NIST 1 4 1 0UCF UnifiedCompliance 0 3 0 0

HarveyBallfillpercentageindicatesrelaMvestrengthwithineachprogramobjecMvefromnone(0)tostrong(4).

GartnerResearch

AFrameworkisjustaguideline SoisOSINT


!

APPENDIX

Sources:pentest-standard.orgOxfordHandbookofNaMonalSecurityIntelligenceTheTaoofOpenSourceIntelligenceInfosecInsMtuteosinuramework.comowasp.orgdigital-forensics.sans.orgverizon.comDavidJ.BlancoGartnerResearch EricHart--CreditSuisse

QUIZ


•  NamethefirsttwoofficialintelligenceagenciesformedintheUS?

•  InwhatyearwastheCIAfirstformed?•  WhenwasGaryPowersshotdown?•  WhichTCPportishackedmostoaen?•  Windows8isa_____ringprocessmodeoperaMngsystem?

•  Namethem•  WhichofthefollowingismostcommonlyusedtodisableDEPin

Windows7orWindows8?•  VirtualAlloc()•  WriteProcessMemory()•  VirtualProtect()•  NtSetInformaMonProcess()

Thankyou!

[email protected]

Documents

recon / OSINT [Open Source Intelligence]Oxford Handbook of Naonal Security Intelligence The Tao of Open Source Intelligence Infosec InsMtute osinuramework.com owasp.org digital-forensics.sans.org